
September 27, 2014

Shellshock and MacOSX

Most Linux distros have released patches for the recently-discovered “Shellshock” bug in /bin/bash. Apple has not, despite the fact that it uses bash as the default system shell (/bin/sh).

If you are running a webserver, you are vulnerable. Even if you avoid the obvious pitfall of writing CGI scripts as shellscripts, you are still vulnerable if one of your Perl (or PHP) scripts calls out to system(), since system() runs its command via /bin/sh, which on MacOSX is bash. Even Phusion Passenger is vulnerable. And, yes, this vulnerability is being actively exploited on the Web.

Some of these look like harmless probes; others (like the one which tries to download and run an IRCbot on your machine) less so.
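As an added example (not code from the original post), here is the kind of check a webserver admin would want while these probes are circulating: a scanner that flags log lines whose Referer or User-Agent carries the Shellshock trigger (a value beginning with the exported-function marker “() {”), plus a scrub of the CGI environment before a script shells out. It assumes Apache’s “combined” log format; the log lines and the CGI environment are constructed for illustration.

```python
"""
Added example (not from the original post): spotting Shellshock probes in
web-server access logs, and scrubbing the CGI environment before a script
shells out. Log lines and environment below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# The Shellshock trigger: an environment variable whose value begins with an
# exported-function definition "() {". Whitespace between the tokens varies
# in real probes, so match it loosely.
SHELLSHOCK_SIG = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format (assumed): client, identity, user, timestamp,
# request line, status, bytes, referer, user agent.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): the second carries a
# Shellshock-style marker in its User-Agent, the third in its Referer.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2014:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2014:10:00:05 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.5 - - [27/Sep/2014:10:00:09 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { foo;}; echo ping" "curl/7.30"
"""


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose Referer or User-Agent carries the signature.

    Each record gets an extra "fields" key naming which header(s) matched, so an
    analyst can see how the probe was delivered.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        fields = [name for name in ("referer", "ua") if SHELLSHOCK_SIG.search(rec[name])]
        if fields:
            rec["fields"] = ",".join(fields)
            hits.append(rec)
    return hits


def scrub_cgi_env(env: Dict[str, str]) -> Dict[str, str]:
    """Drop every variable whose value starts with a bash function definition.

    Bash only treats a value as an exported function when it begins with "() {",
    so anchoring at the start (after leading whitespace) is what matters here.
    Apply this to the environment handed to subprocess/system() from a CGI-style
    handler; it is a stop-gap until bash itself is patched.
    """
    return {k: v for k, v in env.items() if not SHELLSHOCK_SIG.match(v.lstrip())}


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['request']!r} via {hit['fields']}")
    # Constructed CGI environment: the User-Agent header has become HTTP_USER_AGENT.
    cgi_env = {"HTTP_USER_AGENT": "() { :;}; echo probe", "REQUEST_METHOD": "GET"}
    print(scrub_cgi_env(cgi_env))
```

The scrub is deliberately a denylist on the one shape bash’s parser reacts to, rather than an allowlist of headers, so it does not break scripts that legitimately read other HTTP_* variables; it is a mitigation for the window before the patched bash is installed, not a substitute for patching.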

If you’re not running a webserver, the danger is less clear. There are persistent (but apparently incorrect) rumours that Apple’s DHCP client may be vulnerable. If true, then your iPhone could easily be pwned by a rogue DHCP server (running on someone’s laptop) at Starbucks.

I don’t know what to do about your iPhone, but at least you can patch your MacOSX machine yourself.

The following instructions (adapted from this blog post) are for MacOSX 10.9 (Mavericks). The idea is to download Apple’s source code for bash, patch it using the official bash patches, and recompile. If you are running an earlier version of MacOSX, you’ll have to download the bash source package for that version from Apple and use the corresponding upstream patches for that bash release. Of course, you’ll need Xcode, which is free from the App Store.

You absolutely need a working version of /bin/sh for your system to function.

If you have a bunch of machines to update (as I did), you may be better off copying the new versions of bash and sh onto a thumb drive and using that to update your other machines.

Update (9/28/2014):

Apple has issued a statement to the effect that ordinary client systems are not remotely exploitable. At least as far as DHCP goes, that seems to be the case. The DHCP client functionality is implemented by the IPConfiguration agent, run by configd; no shellscripts are involved (unlike, say, under Linux). There are other subsystems to worry about (CUPS, SNMP, …), even on “client” systems. But I think I’ll give Apple the benefit of the doubt on that score.

Update (9/29/2014):

Apple has finally issued Bash patches for Mavericks, Mountain Lion and Lion. Oddly, these only bring Bash up to 3.2.53, rather than 3.2.54 (which is the latest, and hopefully final, iteration defanging the Shellshock attack).

Posted by distler at September 27, 2014 12:58 PM


2 Comments & 0 Trackbacks

Re: Shellshock and MacOSX

It’s incredible how many vulnerabilities made headlines this past year alone. On a related note, Comodo is doing some awesome things for the internet security space. A friend of mine who works there recently showed me one of their patented technologies which automatically sandboxes everything on the fly, and lets files which are clear of any malicious intent out. It’s called containment, you’ll probably like their approach.

Re: Shellshock and MacOSX

If anyone is interested, there is a tool called “masscan” that lets you quickly scan a big range of IP ranges for vulnerabilities like this. And I guess you could also do it with nmap, but it’s not optimized to scan a large number of hosts efficiently (tip: disabling DNS resolution helps a lot for scanning speed).